October 2023
1 AppDefend Overview
4 AppDefend Features
5 Q&A
Safe Harbor Statement
Integrigy AppDefend
Oracle E-Business Suite [1]
▪ 12.2.x
▪ 12.1.x
▪ 12.0.x
▪ HP PA-RISC HP/UX
▪ IBM AIX
[1] For 12.0.x, application server Java version must be upgraded to JDK 1.6.
[2] For 11.5.x, OS version must be supported by JDK 1.8.
AppDefend and Oracle EBS 12.2
[Architecture diagram: Client Browser → https → Apache → WebLogic with AppDefend → OA Framework (OA/RF.jsp, 11,600 pages), Core Servlets (30 servlet classes), Oracle Forms (4,000 forms) → Database (APPS)]
▪ AppDefend runs within the WebLogic Java containers as a servlet filter and Java agent that monitors all incoming requests, outgoing responses, and key method calls. Being in the Java container, AppDefend can access all session state, attributes, error messages, EBS APIs, and the database.
AppDefend and Oracle EBS 12.0 & 12.1
[Architecture diagram: Client Browser → https → Apache → OC4J with AppDefend → OA Framework (OA/RF.jsp, 11,600 pages), Core Servlets (30 servlet classes), Oracle Forms (4,000 forms) → Database (APPS)]
▪ AppDefend runs within the Oracle E-Business Suite OC4J containers as a servlet filter and Java agent that monitors all incoming requests, outgoing responses, and key method calls. Being in the OC4J container, AppDefend can access all session state, attributes, error messages, APIs, and the database.
AppDefend and Oracle EBS 11i
[Architecture diagram: Client Browser → https → AppDefend → Apache → JServ → OA Framework (OA/RF.jsp, 11,600 pages), Core Servlets (30 servlet classes), Oracle Forms (4,000 forms) → Database (APPS)]
▪ AppDefend runs as a reverse proxy on the Oracle EBS application server intercepting all requests and responses. AppDefend is able to act as an SSL/TLS termination point due to the vulnerabilities in the EBS SSL libraries.
AppDefend Features
▪ Support for all EBS architectures like shared APPL_TOPs and DMZ servers
▪ AutoConfig customization
SQL Injection Explained
http://<server>/pls/VIS/fnd_gfm.dispatch?p_path=fnd_help.get/US/fnd/@search');%20fnd_user_pkg.updateUser('operations',%20'SEED',%20'welcome1
Oracle EBS appends the injected SQL to the SQL statement being executed
▪ SQL executed as APPS database account
▪ Example changes any application account password
<script>alert(0)</script>
<iframe src="javascript:alert(0)">
<object data="javascript:alert(0)">
with(document)alert(cookie)
eval(document.referrer.slice(10));
</a onmousemove="alert(1)">
data:text/html,<script>alert(0)</script>
%C0%BCscript%C0%BEalert(1)%C0%BC/script%C0%BE
<ScRIPT x src=//0x.lv?
Cross Site Scripting References
[Chart: Oracle EBS Web Vulnerabilities Fixed – 1,041; ~90 Authorization/Authentication; ~7 Non-EBS Vulnerabilities]
OWASP Top 10 – Oracle E-Business Suite Mapping
[Chart mapping the OWASP Top 10 to Oracle EBS by risk level (High Risk, Medium Risk, Low Risk), including A9: Security Logging and Monitoring Failures and A10: Server-side Request Forgery (SSRF)]
http://www.owasp.org/index.php/Top_10
WASC Threat Classification
Web Application Firewalls (WAF) are specialized firewalls designed to detect and prevent web application attacks by analyzing the HTTP web requests.
[Architecture diagram: Client Browser → https → Apache → OC4J / WebLogic → OA Framework (OA/RF.jsp, 11,600 pages), Core Servlets (30 servlet classes), Oracle Forms (4,000 forms) → Database (APPS)]
▪ All Oracle E-Business Suite environments include ALL modules (250+) and ALL web pages (20,000+) even if modules are not installed, licensed, or configured. Many security vulnerabilities exist in unused modules.
Oracle EBS R12 DMZ Configuration
[DMZ diagram: Client Browser → https → URL Firewall → Apache → OC4J / WebLogic → OA Framework (OA/RF.jsp, 11,600 pages), Core Servlets (30 servlet classes), Oracle Forms (4,000 forms) → Database (APPS); nodes annotated with Node Trust Level]
▪ Proper DMZ configuration reduces accessible pages and responsibilities to only those required for external access. Reducing the application surface area eliminates possible exploitation of vulnerabilities in non-external modules. (See MOS Note ID 380490.1)
Oracle EBS 11i Web Components
Component | 11i Version | Release Date | Non-EBS Desupport [1]
Oracle Application Server [3] | 1.0.2.2.2 | Dec 2001 | June 2004
1. Oracle EBS 11i web components are desupported but had support exceptions for 11i environments through January 2016. As of January 2016, all support for 11i and associated technology stack components has ended.
2. OpenSSL updated from 0.9.5a to 0.9.8zh with July 2015 Critical Patch Update for OAS 1.0.2.2.2.
3. Security vulnerabilities are patched but version is not upgraded.
AppDefend Virtual Patching
▪ For each quarterly Oracle CPU, Integrigy performs an analysis and updates the AppDefend rule set to include virtual patch rules for all external and internal web vulnerabilities
▪ Analyze all user provided input to identify and block malicious input
– OWASP ESAPI
SSO Benefits for Oracle E-Business Suite
▪ Reduce IT costs
– Fewer support calls for password resets and authentication issues
▪ Improve security
– Reduce risk of password theft due to password fatigue
– Enhance password strength with fewer passwords
– Enables enforcement of stronger and more realistic password policies
▪ Improve compliance
– Single point of user termination across applications
– Simplify user and password management
– Implement additional account controls like risk-based authentication
Oracle E-Business Suite User Populations – SSO and MFA
AppDefend SSO and MFA can be tailored to specific Oracle EBS user populations and configured with different SSO and MFA methods for each user population. Mix and match SSO and MFA, even multiple SSO solutions for different groups of internal users.
User Population | User Store | MFA Options
External Users – Suppliers (iSupplier) | FND_USER | (1) TOTP (2) SMS (3) Email (4) no MFA
External Users – Candidates/Customers (iRecruitment/iStore) | FND_USER | (1) TOTP (2) SMS (3) Email (4) no MFA
AppDefend SSO Feature (SAML)
▪ Multiple Modes
– Oracle E-Business Suite SSO Provider (system profile options)
– AppDefend servlet filter
– Direct SSO to Oracle E-Business Suite
– WebADI and EBS mobile applications are fully supported
▪ Secure Implementation
– Oracle EBS Session cookie set to “host” rather than “domain”
AppDefend SSO SAML Flow – High-level
Step 3: User logs in through Identity Provider and is redirected back to Oracle EBS; AppDefend signs user in.
[Diagram: SAML configuration on the Identity Provider and SAML configuration on AppDefend]
AppDefend SSO SAML Flow
Step 6: IdP generates SAML response with username and returns to browser with redirect to SP.
Step 7: SAML response with username is redirected to SP URL.
Step 8: AppDefend validates SAML response and creates EBS session using EBS API.
[Diagram: Load Balancer/Reverse Proxy → Oracle E-Business Suite Application Server (12.0, 12.1, 12.2) → Oracle EBS Java Container]
AppDefend SSO SAML Flow (EBS SSO Configuration)
Step 2: EBS redirects to specified SSO URL.
Step 8: IdP generates SAML response with username and returns to browser with redirect to SP.
Step 9: SAML response with username is redirected to SP URL.
Step 10: AppDefend validates SAML response and creates EBS session using EBS API.
[Diagram: Load Balancer/Reverse Proxy → Oracle E-Business Suite Application Server (12.0, 12.1, 12.2) → Oracle EBS Java Container]
AppDefend SSO SAML Flow (SSO Homepage)
Step 4: IdP generates SAML response with username and returns to browser with redirect to SP.
Step 5: SAML response with username is redirected to SP URL.
Step 6: AppDefend validates SAML response and creates EBS session using EBS API.
[Diagram: Load Balancer/Reverse Proxy → Oracle E-Business Suite Application Server (12.0, 12.1, 12.2) → Oracle EBS Java Container]
AppDefend SSO SAML Security
(1)
▪ AppDefend protects access to all Oracle EBS URLs
▪ Must be authenticated to access any URLs except specific pages such as iStore or iSupplier registration
(2)
▪ SAML request is signed (SHA-512 if supported by IdP) and encrypted (AES-256) using IdP public key
▪ SAML request should be communicated using TLS 1.2 or 1.3 based on your configuration
(6)
▪ SAML response is signed (SHA-512 if supported by IdP) and encrypted (AES-256) using AppDefend public key
AppDefend can map Identity Provider user to Oracle E-Business Suite user using different attributes or values from both the Identity Provider and Oracle E-Business Suite. Multiple match rules can be defined and evaluated per login.
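As an added illustration (not AppDefend's code), this Python snippet evaluates ordered match rules between IdP assertion attributes and FND_USER columns, refusing the login when a rule matches more than one EBS user. The user rows, attribute names, and rule order are constructed assumptions.

```python
# Constructed FND_USER rows with a few columns; not a real EBS extract.
FND_USERS = [
    {"user_name": "JSMITH", "email_address": "john.smith@example.com", "employee_number": "1001"},
    {"user_name": "OPERATIONS", "email_address": "ops@example.com", "employee_number": None},
    {"user_name": "JSMITH2", "email_address": "john.smith@example.com", "employee_number": "1002"},
]

# Match rules tried in order: (IdP assertion attribute, FND_USER column, normaliser).
# The attribute names are assumed; a real IdP would be configured to emit them.
MATCH_RULES = [
    ("NameID", "user_name", str.upper),
    ("employeeNumber", "employee_number", str.strip),
    ("mail", "email_address", str.lower),
]


def map_idp_user(attributes, users=FND_USERS, rules=MATCH_RULES):
    """Return the EBS user_name for the first rule that matches exactly one user, else None."""
    for idp_attr, column, norm in rules:
        raw = attributes.get(idp_attr)
        if not raw:
            continue  # assertion did not carry this attribute; try the next rule
        wanted = norm(raw)
        hits = [u for u in users if u[column] is not None and norm(u[column]) == wanted]
        if len(hits) == 1:
            return hits[0]["user_name"]
        if len(hits) > 1:
            return None  # ambiguous mapping: refuse rather than guess which account to sign in
    return None  # no rule produced a match
```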
▪ Improve security
– Enable strong authentication
– Reduce risk of compromised passwords
▪ Improve compliance
– PCI-DSS requires MFA for access in some situations
– GDPR, HIPAA, and other standards require strong authentication
▪ Contextualize authentication
– MFA can be required when specific data is accessed or actions are performed, such as employee self-service direct deposit changes
AppDefend Adaptive Multi-Factor Authentication
▪ Application-aware
– 2FA for login, user, responsibility, function, or page
– Multiple 2FA authentications can be configured for different use cases and controls
▪ Context-aware
– 2FA may be triggered based on session context such as time, location, device, etc.
▪ Entire Application
– Require 2FA when logging into Oracle EBS
▪ Privileged Responsibilities
– Require 2FA when user accesses specific responsibilities like System Administrator
– Protect highly privileged responsibilities from malicious use
▪ Privileged Users
– Require 2FA when highly privileged users like SYSADMIN login
– Preventative control for privileged, generic users accounts for SOX compliance
– Limit access to generic user accounts by 2FA devices
– Audit trail of named users accessing generic user accounts
| SSO User Login | Non-SSO User Login | Responsibility | Page/Function
AppDefend MFA (with or without SSO SAML) | ✓ | ✓ | ✓ | ✓
AppDefend MFA can be used to protect Oracle E-Business Suite privileged, generic accounts (GA), such as SYSADMIN. Multiple options to protect generic accounts and a different option may be used for each generic account.
2. FND_USER profile option and/or authorized user list: Named user EBS login → Login page for GA if user allowed → Logged into EBS as GA
3. MFA solution such as DUO, authorized in MFA solution for GA: EBS login as GA → 2FA using assigned 2FA → Logged into EBS as GA
4. Identity Provider (IdP), authorized in IdP to access GA: Direct IdP user's app homepage → Click GA assigned tile → Logged into EBS as GA
AppDefend Generic Account Protection Example Scenarios
A client with about 30 generic accounts used for various purposes configured AppDefend MFA to protect the generic accounts. Scenarios for one generic account to many named users, many generic accounts to one named user, and many generic accounts to many named users can all be easily configured and maintained. All logins including named user are monitored and logged.
SYSADMIN
▪ Tile in IdP
▪ Assigned by IdP group
▪ Tightly controlled, limited to DBAs
▪ SYSADMIN password not known by DBAs
Application Logging and Auditing
Log and audit key application and security events beyond Oracle EBS current capabilities
▪ PCI logging includes all sessions, responsibilities, and potentially card number access through the application
▪ Log data can be sent to external systems such as Splunk, ElasticSearch, ArcSight, QRadar, LogRhythm, Microsoft Sentinel, AWS CloudWatch, …
▪ Solves gaps in Oracle EBS logging such as IP address for failed logins
AppDefend Processing
[Processing diagram: Request & Response → Rules (path inclusion, arguments, operators) → Match → Actions, plus Updates when Thresholds are Exceeded → Log file / Syslog / E-mail / Database; No Match → Next Rule]
AppDefend Permit Rule
[Diagram: Client Browser → https → Apache → OC4J with AppDefend → Core Servlets (30 servlet classes) filtered by module rules; Oracle Forms (4,000 forms) blocked for external access → Database (APPS)]
AppDefend allows access to only permitted Oracle EBS modules based on a group of white-listed modules. Individual files may be permitted also. Web page and OA Framework customizations are supported.
AppDefend Arguments
AppDefend rules and alerts may use one or more of these arguments.
▪ request.file_name
▪ request.query_string
AppDefend Operators
▪ beginswith
▪ byterange
▪ contains
▪ notcontains
▪ endswith
▪ equals
▪ exists
▪ greater
▪ greatereq
▪ ingroup
▪ notingroup
▪ inlist
▪ notinlist
▪ ipmatch
▪ notipmatch
▪ less
▪ lesseq
▪ regex
▪ within
▪ notwithin
AppDefend Actions
Redirect | Redirects the request to a specified full URL or relative URL for the site such as the Oracle EBS error page
Block | Block the request by returning the specified HTTP error code such as 403 Forbidden
Pause | Pause the request for the specified number of milliseconds, perhaps to slow down a brute force attack
Sanitize | Sanitize one or all parameters and headers in the request to prevent XSS, HTML injection, or SQL injection
Stop | Stop the processing of all subsequent AppDefend rules. The Stop action is useful to minimize AppDefend analyzing static requests such as images, etc.
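As an added example (not AppDefend's code), a small Python evaluator that applies ordered rules of the argument / operator / action shape described above to constructed sample requests, including the fnd_gfm SQL injection URL and a <script> payload from the earlier slides. The operator semantics, rule set, internal IP range and request model are my assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed sample requests (a plain dict, not AppDefend's own request model).
# The first two carry the fnd_gfm SQL injection URL and the <script> payload from the earlier slides.
SAMPLE_REQUESTS = [
    {"file_name": "/pls/VIS/fnd_gfm.dispatch", "remote_ip": "203.0.113.7",
     "query_string": "p_path=fnd_help.get/US/fnd/@search');%20fnd_user_pkg.updateUser("
                     "'operations',%20'SEED',%20'welcome1"},
    {"file_name": "/OA_HTML/OA.jsp", "remote_ip": "10.1.2.3",
     "query_string": "page=/oracle/apps/fnd/framework/webui/HelloWorldPG&name=%3Cscript%3Ealert(0)%3C/script%3E"},
    {"file_name": "/OA_HTML/cabo/images/logo.gif", "remote_ip": "10.1.2.3", "query_string": ""},
    {"file_name": "/OA_HTML/RF.jsp", "remote_ip": "10.1.2.3", "query_string": "function_id=1234"},
    {"file_name": "/OA_HTML/RF.jsp", "remote_ip": "198.51.100.9", "query_string": "function_id=1234"},
]

# A subset of the operators listed above; the semantics are my assumption, not AppDefend's.
OPERATORS = {
    "beginswith": lambda v, a: v.startswith(a),
    "contains": lambda v, a: a in v,
    "regex": lambda v, a: re.search(a, v, re.I) is not None,
    "ipmatch": lambda v, a: ipaddress.ip_address(v) in ipaddress.ip_network(a),
}
OPERATORS["notipmatch"] = lambda v, a: not OPERATORS["ipmatch"](v, a)

# Ordered rule set (hypothetical): one argument, one operator, one action per rule.
RULES = [
    # Stop comes first so static content is not analysed by the rules below.
    {"arg": "request.file_name", "op": "regex", "val": r"\.(gif|png|jpg|css|js)$", "action": "Stop"},
    # A quote, optional ')' and ';' is the stacked-statement shape of the fnd_gfm example.
    {"arg": "request.query_string", "op": "regex", "val": r"'\s*\)?\s*;", "action": "Block"},
    # Tag names or a javascript: URL inside a parameter, as on the XSS slide.
    {"arg": "request.query_string", "op": "regex",
     "val": r"<\s*/?\s*(script|iframe|object)|javascript:", "action": "Sanitize"},
    # Requests from outside the assumed internal range are sent to the error page.
    {"arg": "request.remote_ip", "op": "notipmatch", "val": "10.0.0.0/8", "action": "Redirect"},
]


def evaluate(request, rules=RULES):
    """Return (action, rule_index) of the first matching rule, or ("Permit", None)."""
    for index, rule in enumerate(rules):
        value = request.get(rule["arg"].split(".", 1)[1], "")
        if rule["arg"] == "request.query_string":
            value = unquote_plus(value)  # decode %20, %3C, ... first, or encoded payloads slip past
        if OPERATORS[rule["op"]](value, rule["val"]):
            return rule["action"], index
    return "Permit", None
```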
Integrigy Contact Information
Integrigy Corporation
web – www.integrigy.com
e-mail – info@integrigy.com
blog – integrigy.com/oracle-security-blog
youtube – youtube.com/integrigy